How to enable audit logs of GCP secretmanager data access

Masato Naka
2 min readMar 3, 2023

Overview

It is of great importance that we can monitor audit logs for some GCP resources, e.g. secretmanager. In this post, I’ll cover how to enable and check the audit logs for secretmanager data access.

Steps

Create a secret

(and a version)

First, we can create a new secret called test-secret with password as its value using the following command:

echo -n "password" | gcloud secrets create test-secret --data-file=-

You can check the audit logs in Logs Explorer with the following query:

resource.type="audited_resource"
resource.labels.service="secretmanager.googleapis.com"

You’ll see the two method in the audit logs:

  1. google.cloud.secretmanager.v1.SecretManagerService.CreateSecret
  2. google.cloud.secretmanager.v1.SecretManagerService.AddSecretVersion

These audit logs belong to admin activity, which is enabled by default.

Access secret version

Now let’s access to the secret with the following command:

gcloud secrets versions access --secret=test-secret latest
password%

For now, you can’t see the audit log for this activity. As the AccessSecretVersion operation belongs to DATA_READ audit log category and it’s not enabled by default.

Enable DATA_READ

You can open the GCP console for iam-admin/audit from https://console.cloud.google.com/iam-admin/audit and you can find Secret manager API by filtering by Secret Manager in the filter box:

Admin Read, Data Read, Data Write are not enabled by default

Now you can check Data Read and save it from the right side panel:

Access secret (again)

To check if the audit log works correctly, let’s access to the secret again with the same command:

gcloud secrets versions access --secret=test-secret latest
password%

Check audit log

You can check with Logs Explorer with the following query:

protoPayload.serviceName="secretmanager.googleapis.com"
resource.type="audited_resource"
log_name="projects/<project_id>/logs/cloudaudit.googleapis.com%2Fdata_access"

You’ll see the audit log with the methodName google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion.

Summary

We can enable the audit logs for access secret version operation by enabling DATA_READso we can always check who’s accessed to the secret by the audit logs.

References

  1. https://cloud.google.com/secret-manager/docs/audit-logging#audited_operations
  2. Enable GCP Audit Logs with Terraform

--

--

Masato Naka

An SRE engineer, mainly working on Kubernetes. CKA (Feb 2021). His Interests include Cloud-Native application development, and machine learning.